OpenID Connect Client (openidConnectClient)

OpenID Connect client.

Name Type Default Description

accessTokenInLtpaCookie

boolean

false

Specifies whether the LTPA token includes the access token.

allowCustomCacheKey

boolean

true

Specifies if a custom cache key is used to store users in an authentication cache. Set this to false when using the jwtsso feature to allow the security subject to be constructed directly from the jwtsso cookie. The default value is true.

audiences

string

Specifies a comma-separated list of trusted audiences that is verified against the aud claim in the JSON web token.

authFilterRef

A reference to top level authFilter element (string).

Specifies the authentication filter reference.

authenticationTimeLimit

A period of time with millisecond precision

420s

Maximum duration in milliseconds between redirection to the authentication server and return from the authentication server. Cookies expire after this duration. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

authnSessionDisabled

boolean

true

An authentication session cookie will not be created for inbound propagation. The client is expected to send a valid OAuth token for every request.

authorizationEndpointUrl

string

Specifies an Authorization endpoint URL.

clientId

string

Identity of the client.

clientSecret

Reversably encoded password (string)

Secret key of the client.

createSession

boolean

true

Specifies whether to create an HttpSession if the current HttpSession does not exist.

disableIssChecking

boolean

false

Require the issuer claim to be absent when validating the OAuth token introspection response for inbound token propagation.

disableLtpaCookie

boolean

false

Do not create an LTPA Token during processing of the OAuth token. Create a cookie of the specific Service Provider instead.

discoveryEndpointUrl

string

Specifies a discovery endpoint URL for an OpenID Connect provider.

discoveryPollingRate

A period of time with millisecond precision

300s

Duration rate in milliseconds at which the OpenID Connect client checks for updates to the discovery file. The checking is done only if there is an authentication failure. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

forwardLoginParameter

string

Specifies a comma-separated list of parameter names to forward to the OpenID Connect provider. If a protected resource request includes one or more of the specified parameters, the OpenID Connect client will include those parameters and their values in the authorization endpoint request to the OpenID Connect provider.

grantType

  • authorization_code

  • implicit

authorization_code

Specifies the grant type to use for this client. Use of the responseType attribute is preferred instead.
authorization_code
Authorization code grant type
implicit
Implicit grant type

groupIdentifier

string

groupIds

Specifies a JSON attribute in the ID token that is used as the name of the group that the authenticated principal is a member of.

headerName

string

The name of the header which carries the inbound token in the request.

hostNameVerificationEnabled

boolean

false

Specifies whether to enable host name verification.

httpsRequired

boolean

true

Require SSL communication between the OpenID relying party and provider service.

id

string

A unique configuration ID.

inboundPropagation

  • none

  • required

  • supported

none

Controls the operation of the token inbound propagation of the OpenID relying party.
none
Do not support inbound token propagation
required
Require inbound token propagation
supported
Support inbound token propagation

includeIdTokenInSubject

boolean

true

Specifies whether to include ID token in the client subject.

initialStateCacheCapacity

int
Min: 0

3000

Specifies the beginning capacity of state cache. The capacity grows bigger when needed by itself.

isClientSideRedirectSupported

boolean

true

Specifies whether the client supports redirect at client side.

issuerIdentifier

string

A case-sensitive URL using the HTTPS scheme that contains scheme, host and optionally port number and path components. Specify multiple values as a comma separated list.

jwkClientId

string

Specifies the client identifier to include in the basic authentication scheme of the JWK request.

jwkClientSecret

Reversably encoded password (string)

Specifies the client password to include in the basic authentication scheme of the JWK request.

jwkEndpointUrl

string

Specifies a JWK endpoint URL.

mapIdentityToRegistryUser

boolean

false

Specifies whether to map the identity to a registry user. If this is set to false, then the user registry is not used to create the user subject.

nonceEnabled

boolean

false

Enable the nonce parameter in the authorization code flow.

reAuthnCushion

A period of time with millisecond precision

0s

The time period to authenticate a user again when its tokens are about to expire. The expiration time of an ID token is specified by its exp claim. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

reAuthnOnAccessTokenExpire

boolean

true

Authenticate a user again when its authenticating access token expires and disableLtpaCookie is set to true.

realmIdentifier

string

realmName

Specifies a JSON attribute in the ID token that is used as the realm name.

realmName

string

Specifies a realm name to be used to create the user subject when the mapIdentityToRegistryUser is set to false.

redirectJunctionPath

string

Specifies a path fragment to be inserted into the redirect URL, after the host name and port. The default is an empty string.

redirectToRPHostAndPort

string

After authorization, the relying party will be redirected to this destination, instead of the default. The default is the origin of the relying party request.

resource

string

Resource parameter is included in the request.

responseType

  • code

  • id_token

  • id_token token

  • token

Specifies the response requested from the provider, either an authorization code or implicit flow tokens.
code
Authorization code
id_token
ID token
id_token token
ID token and access token
token
Access token

scope

string (with whitespace trimmed off)

openid profile

OpenID Connect scope (as detailed in the OpenID Connect specification) that is allowed for the provider.

signatureAlgorithm

  • HS256

  • RS256

  • none

HS256

Specifies the signature algorithm that will be used to verify the signature of the ID token.
HS256
Use the HS256 signature algorithm to sign and verify tokens
RS256
Use the RS256 signature algorithm to sign and verify tokens
none
Tokens are not required to be signed

sslRef

A reference to top level ssl element (string).

Specifies an ID of the SSL configuration that is used to connect to the OpenID Connect provider.

tokenEndpointAuthMethod

  • basic

  • post

post

The method to use for sending credentials to the token endpoint of the OpenID Connect provider in order to authenticate the client.

tokenEndpointUrl

string

Specifies a token endpoint URL.

tokenReuse

boolean

false

Specifies whether JSON web tokens can be reused. Tokens must contain a jti claim for this attribute to be effective. The jti claim is a token identifier that is used along with the iss claim to uniquely identify a token and associate it with a specific issuer. A request is rejected when this attribute is set to false and the request contains a JWT with a jti and iss value combination that has already been used within the lifetime of the token.

trustAliasName

string

Key alias name to locate public key for signature validation with asymmetric algorithm.

trustStoreRef

A reference to top level keyStore element (string).

A keystore containing the public key necessary for verifying the signature of the ID token.

uniqueUserIdentifier

string

uniqueSecurityName

Specifies a JSON attribute in the ID token that is used as the unique user name as it applies to the WSCredential in the subject.

useSystemPropertiesForHttpClientConnections

boolean

false

Specifies whether to use Java system properties when the OpenID Connect client creates HTTP client connections. Set this property to true if you want the connections to use the http* or javax* system properties.

userIdentifier

string

Specifies a JSON attribute in the ID token that is used as the user principal name in the subject. If no value is specified, the JSON attribute "sub" is used.

userIdentityToCreateSubject

string

sub

Specifies a user identity in the ID token used to create the user subject.

userInfoEndpointEnabled

boolean

false

Specifies whether the User info endpoint is contacted.

userInfoEndpointUrl

string

Specifies a User Info endpoint URL

validationEndpointUrl

string

The endpoint URL for validating the token inbound propagation. The type of endpoint is decided by the validationMethod.

validationMethod

  • introspect

  • userinfo

introspect

The method of validation on the token inbound propagation.
introspect
Validate inbound tokens using token introspection
userinfo
Validate inbound tokens using the userinfo endpoint

authFilter

Specifies the authentication filter reference.

authFilter > cookie

A unique configuration ID.

Name Type Default Description

id

string

A unique configuration ID.

matchType

  • contains

  • equals

  • notContain

contains

Specifies the match type.

name

string
Required

Specifies the name.

authFilter > host

A unique configuration ID.

Name Type Default Description

id

string

A unique configuration ID.

matchType

  • contains

  • equals

  • notContain

contains

Specifies the match type.

name

string
Required

Specifies the name.

authFilter > remoteAddress

A unique configuration ID.

Name Type Default Description

id

string

A unique configuration ID.

ip

string

Specifies the remote host TCP/IP address.

matchType

  • contains

  • equals

  • greaterThan

  • lessThan

  • notContain

contains

Specifies the match type.

authFilter > requestHeader

A unique configuration ID.

Name Type Default Description

id

string

A unique configuration ID.

matchType

  • contains

  • equals

  • notContain

contains

Specifies the match type.

name

string
Required

Specifies the name.

value

string

The value attribute specifies the value of the request header. If the value is not specified, then the name attribute is used for matching, for example, <requestHeader id="sample" name="email" matchType="contains"/>.

authFilter > requestUrl

A unique configuration ID.

Name Type Default Description

id

string

A unique configuration ID.

matchType

  • contains

  • equals

  • notContain

contains

Specifies the match type.

urlPattern

string
Required

Specifies the URL pattern. The * character is not supported to be used as a wildcard.

authFilter > userAgent

A unique configuration ID.

Name Type Default Description

agent

string
Required

Specifies the browser's user agent to help identify which browser is being used.

id

string

A unique configuration ID.

matchType

  • contains

  • equals

  • notContain

contains

Specifies the match type.

authFilter > webApp

A unique configuration ID.

Name Type Default Description

id

string

A unique configuration ID.

matchType

  • contains

  • equals

  • notContain

contains

Specifies the match type.

name

string
Required

Specifies the name.

authzParameter

Specifies custom parameters to send to authorization endpoint of the OpenID Connect provider.

Name Type Default Description

id

string

A unique configuration ID.

name

string

Specifies name of the additional parameter.

value

string

Specifies value of the additional parameter.

tokenParameter

Specifies custom parameters to send to token endpoint of the OpenID Connect provider.

Name Type Default Description

id

string

A unique configuration ID.

name

string

Specifies name of the additional parameter.

value

string

Specifies value of the additional parameter.